Let’s Encrypt Expands to Issue SSL/TLS Certificates for IP Addresses

July 4, 2025 | by VedVision HeadLines


Let’s Encrypt, a leading certificate authority (CA) known for providing free SSL/TLS certificates since 2015, has issued its first-ever certificate for an IP address.

This development, announced earlier in January, marks a significant step in expanding secure communication options for Internet infrastructure.

The organization is now rolling out this feature gradually to its subscribers, with general availability in production expected later in 2025 alongside short-lived certificates.

This move addresses a long-standing request from users who, until now, had to rely on a limited number of other CAs to secure IP addresses directly, a niche but critical need in specific technical scenarios.

Why IP Address Certificates Matter

Unlike domain names, which are the human-readable identifiers most Internet users interact with (e.g., letsencrypt.org), IP addresses, numerical labels such as 54.215.62.21 (IPv4) or 2600:1f1c:446:4900::65 (IPv6), are the backbone of Internet routing.

While the Domain Name System (DNS) seamlessly translates domain names to IP addresses behind the scenes, direct interaction with IP addresses is rare for end users.

However, certain use cases demand secure connections to IP addresses without an associated domain.

These include securing DNS over HTTPS (DoH) servers for authenticated client connections, providing default pages for hosting providers when users input raw IP addresses, enabling HTTPS access to home devices like network-attached storage without a domain, and securing ephemeral cloud infrastructure connections.

According to the report, IP address certificates are less common than domain certificates because IP assignments are dynamic and ownership guarantees are weaker than for domain names, but Let’s Encrypt’s decision to support them fills a critical gap.

IP addresses can change frequently, especially for residential users with dynamic IPs, and shared IPs can complicate direct connections, often reducing the utility of such certificates. Yet the demand persists for specific technical setups.

Implementation Details and Policies

Currently, IP address certificates are accessible in Let’s Encrypt’s staging environment, with production rollout planned for later in 2025.

These certificates adhere to strict policies: they must be short-lived, valid for approximately six days, to mitigate risks associated with IP reassignment.

Subscribers must use ACME clients supporting the draft ACME Profile specification and configure them to request the “short-lived” profile.

Validation is restricted to HTTP-01 and TLS-ALPN-01 challenge methods, as DNS challenges are incompatible with proving control over an IP.
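The constraints above can be enforced client-side before an order is ever sent. The following pre-flight check is an added example, not code from Let’s Encrypt or any ACME client; the function names and the profile name string are assumptions (take the real profile name from the CA’s documentation), and the check for publicly routable addresses is an addition beyond what the article states.

```python
import ipaddress
import json

# Assumptions (not from the article): the profile name string and all function
# names are illustrative. "ip"/"dns" identifier types follow RFC 8738 / RFC 8555.
SHORT_LIVED_PROFILE = "shortlived"
IP_CHALLENGES = {"http-01", "tls-alpn-01"}  # DNS-based validation is excluded for IPs


def to_identifier(value):
    """Classify a requested name as an ACME 'ip' or 'dns' identifier."""
    try:
        # str() yields the canonical text form (compressed, lowercase IPv6)
        return {"type": "ip", "value": str(ipaddress.ip_address(value))}
    except ValueError:
        return {"type": "dns", "value": value.lower().rstrip(".")}


def build_new_order(names, profile, challenge):
    """Return the unsigned newOrder payload, or raise if a rule is violated."""
    identifiers = [to_identifier(n) for n in names]
    ips = [i["value"] for i in identifiers if i["type"] == "ip"]
    if ips and profile != SHORT_LIVED_PROFILE:
        raise ValueError(f"IP identifiers {ips} require the short-lived profile")
    if ips and challenge not in IP_CHALLENGES:
        raise ValueError(f"{challenge} cannot validate IP identifiers {ips}")
    for ip in ips:
        # Private, loopback and other reserved ranges cannot be validated by a public CA
        if not ipaddress.ip_address(ip).is_global:
            raise ValueError(f"{ip} is not a publicly routable address")
    # "profile" is the newOrder field defined by the draft ACME Profiles spec
    return {"identifiers": identifiers, "profile": profile}


if __name__ == "__main__":
    # Constructed sample input using the addresses quoted in the article
    names = ["54.215.62.21", "2600:1F1C:0446:4900:0000:0000:0000:0065"]
    print(json.dumps(build_new_order(names, SHORT_LIVED_PROFILE, "tls-alpn-01"), indent=2))
```

The returned dictionary is only the order body; a real client still wraps it in a signed JWS request to the CA’s newOrder endpoint.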

Some client software may require updates to align with these requirements, and Let’s Encrypt encourages users and developers to seek assistance via their community forum if issues arise.

Prior to full rollout, select partners may be allow-listed to test and provide feedback, ensuring a smooth integration.

This cautious approach reflects Let’s Encrypt’s commitment to balancing innovation with security, building on prerequisites like short-lived certificate infrastructure before enabling this feature.

For most subscribers, domain-based certificates remain sufficient, but for those with specialized needs, this update unlocks new possibilities in securing Internet infrastructure directly at the IP level, reinforcing trust and encryption across diverse environments.
